Attachment: Excel file with document sharing lure created by Go Excelize
Detects Excel macro files created with the Go Excelize library containing document sharing language such as 'sent document', 'shared file', or 'REVIEW DOCUMENT'. These files are often used as lures to trick users into enabling macros or downloading malicious content.
Sublime rule (View on GitHub)
1name: "Attachment: Excel file with document sharing lure created by Go Excelize"
2description: "Detects Excel macro files created with the Go Excelize library containing document sharing language such as 'sent document', 'shared file', or 'REVIEW DOCUMENT'. These files are often used as lures to trick users into enabling macros or downloading malicious content."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and any(filter(attachments,
8 .file_extension in $file_extensions_macros
9 // limit the size to reduce FPs, the larger the document, the more likely it is for FPs on benign automated reports
10 and .size < 2000000
11 ),
12 any(file.explode(.),
13 // document sharing lure
14 (
15 length(.scan.strings.raw, ) < 1000
16 and regex.icontains(.scan.strings.raw,
17 '(?:sent|shared|forwarded|provided|invited|received)(?:\s+\w+){0,9}\s+(?:document|file|attachment)',
18 )
19 )
20 or strings.icontains(.scan.strings.raw,
21 'Please download this spreadsheet or SVG and click'
22 )
23 or (
24 length(.scan.strings.raw) < 500
25 and strings.contains(.scan.strings.raw, 'REVIEW DOCUMENT')
26 )
27 )
28 and beta.parse_exif(.).creator == "xuri"
29 and any(beta.parse_exif(.).fields,
30 .key == "Application" and .value == "Go Excelize"
31 )
32 )
33attack_types:
34 - "Credential Phishing"
35tactics_and_techniques:
36 - "Macros"
37 - "Social engineering"
38detection_methods:
39 - "File analysis"
40 - "Macro analysis"
41 - "Content analysis"
42 - "Exif analysis"
43id: "dfaf267f-2d78-56ff-971e-3a2796c24b56"